FORENSICS AND INVESTIGATIONS
CHAPTER ONE: UNDERSTANDING THE DIGITAL FORENSICS PROFESSION AND INVESTIGATIONS
Lab 1.1: Installing OSForensics in Windows
1. Why is OSForensics an important forensics tool?
a. It can be used to troubleshoot a computer
b. It can be used to test a computer’s operability
c. It can be used to help digital forensics investigators locate potential evidence
d. It can be used to recover human DNA
2. OSForensics can search for which of the following types of files? (Choose all that apply)
a. Email
b. Graphic
c. Deleted files
d. Registry files
3. What’s a file hash?
a. A hexadecimal value obtained mathematically from a file
b. The name of a software program’s vendor or manufacturer
c. The size of the computer’s hard disk
d. The file size of potential evidence
4. Which of the following statements is true?
a. File hash information can be found in File Explorer
b. File hashes can verify that the chain of custody has been maintained
c. File hashes can indicate that software has been purchased legally
d. File hashing values are not important to a digital investigator
5. OSForensics uses hash sets for what purpose?
a. Hash sets are used to identify known file hashes used by OSs and applications
b. Hash sets are used to identify the OS version in use on the computer being investigated
c. Hash sets are used to see which software has been purchased legally
d. Hash sets are used to copy evidence from the investigated computer to a USB drive
Lab 1.2: Installing FTK Imager
1. FTK Imager can be used to search all the following except what?
a. Deleted files
b. Documents
c. Graphics
d. Encrypted files
2. FTK Imager is used primarily to produce which of the following?
a. Hard disk images that can be analyzed by forensics software
b. Forensic evidence
c. Computer manufacturer's information
d. DNA evidence
3. Why do forensics investigators work with bit-stream images?
a. Image files are smaller than the actual hard disk files
b. Only image files contain forensic evidence
c. An image file can be examined without damaging the original image evidence
d. The original storage device can’t be analyzed without the original computer
4. FTK Imager can detect and view encrypted files. True or False?
5. Bit-stream imaging is the process of ___________________
a. creating hash values from files on a storage device
b. extracting readable information from encrypted files
c. duplicating data on storage devices for forensic analysis
Lab 1.3: Installing ProDiscover Basic
1. ProDiscover can be used to search all the following file systems except __________
a. FAT16
b. HFS+
c. NTFS
d. FAT32
2. The Exif format contains information on which of the following? (Choose all that apply)
a. Date and time a photo was taken
b. The shutter speed
c. When the camera was purchased
d. The camera model
3. ProDiscover can search digital devices for which of the following? (Choose all that apply)
a. Macintosh files
b. RAID data
c. Linux files
d. UNIX files
4. ProDiscover isn’t capable of producing file hash values. True or False?
5. Which of the following statements is correct?
a. ProDiscover can decrypt encrypted Microsoft Word documents
b. ProDiscover can decrypt encrypted Microsoft Excel spreadsheets
c. ProDiscover can decrypt encrypted email files
Lab 1.4: Installing AccessData Registry Viewer
1. The Windows Registry is responsible for which of the following?
a. Registering Windows software with Microsoft
b. Creating the NTFS file system
c. Booting into the Windows environment
d. Deleting files and folders
2. The Registry contains valuable forensics information, such as which of the following? (Choose all that apply)
a. Account usernames and hashed passwords
b. Where software was purchased
c. When files were created or deleted
d. Duplicate copies of Microsoft Word documents
3. Registry Viewer can recover forensics information, such as _____________, that can’t be viewed in Windows Registry Editor.
a. when software was purchased
b. what software is considered illegal
c. the version of the HFS+ file system
d. a history of Web sites visited
4. Which of the following statements is true?
a. The Registry contains information on the Windows environment
b. The Registry contains a list of Linux files
c. The Registry doesn’t contain useful forensics information
d. The Registry does not contain hard disk information that has been deleted
5. The Registry is composed of __________ hives containing system data.
a. three
b. seven
c. five
d. four
CHAPTER TWO: THE INVESTIGATOR’S OFFICE AND LABORATORY
Lab 2.1: Securely Wiping a USB Drive
1. Which statement about deleted files is true?
a. Deleted files can be rebuilt from remnants that haven’t been overwritten
b. After a file has been deleted from the Recycle Bin, it can’t be recovered
c. After a file pointer has been deleted in the MFT, it cannot be recovered
d. The MFT isn’t updated until all file remnants have been overwritten with new data
2. When a file is deleted from a storage device, only the pointer to the file location is
removed. True or False?
3. According to NIST standards, how many wipes should be done to erase data completely?
a. Three
b. One
c. Two
d. Seven